The European Union's General Data Protection Regulation (GDPR) was implemented on May 25, 2018, after years of discussion and recent lobbying by international regulators.
As reported by Reuters on June 25, officials are warning that a failure to explicitly exempt market regulators from GDPR could jeopardize international investigations into market manipulation and fraud, including those related to cryptocurrencies, as well as any subsequent enforcement actions. This includes investigations being conducted by the US.
In its directive to protect the personal data privacy of EU citizens, GDPR imposes new conditions and extra privacy safeguards for cross-border personal data transfers. Before GDPR came into force, a clear exemption existed for regulators to gain and share information relevant to investigations into alleged or potential misconduct when such information sharing was in the public interest. Bank and trading account information was included in this exemption.
Though GDPR has a similar exemption, regulators argue that the language therein lacks clarity, and leaves them exposed to legal uncertainty. Cross-border information sharing, they say, could be challenged on the grounds that privacy protections in other countries are less robust than those offered by the EU.
The way that a blockchain records user and transactional data could also conflict with GDPR. The new regulation is designed for traditional centralized data storage methods. On a blockchain, encrypted records are stored on a decentralized, distributed ledger, and that data is publicly viewable anywhere in the world. In effect, the data of EU citizens could already be leaving Europe, which could be seen as illegal under GDPR.
GDPR's "right to be forgotten," which allows an individual's digital data to be erased on request, also conflicts with blockchain technology, because encrypted digital data stored to the blockchain is not easily deleted.
Global financial regulators are requesting that the European Data Protection Board (EDPB), the EU body in charge of GDPR, formally agree to an "administrative arrangement," clarified in writing, that would specify exactly how the public interest exemption for cross-border information sharing should now be applied.
Reuters cited three sources in its report, two of whom have said the EU is reluctant to provide the requested guidance because such an exemption could be used to illegitimately avoid the privacy safeguards set by the GDPR and harm EU citizens.
Regulators involved in the conversation include the US Commodity Futures Trading Commission (CFTC), the Securities and Exchange Commission (SEC), the Ontario Securities Commission (OSC), the Japanese Financial Services Agency (FSA), Britain's Financial Conduct Authority (FCA), the Hong Kong Securities and Futures Commission (SFC), and the EU's European Securities and Markets Authority (ESMA).
A European Commission spokesperson said information sharing between EU and non-EU countries could be ensured using the mechanisms already existing within the EU data protection legislation, and that no further guidance is necessary. However, some regulators argue that the GDPR presents a threat to national sovereignty because it requires countries to implement data privacy standards in line with the EU.
The International Organization of Securities Commissions (IOSCO), representing regulators from more than 100 jurisdictions, is attempting to address the issue by creating an administrative arrangement that would allow signatories to meet the EU's GDPR standards without needing to apply the same GDPR standards across the entirety of their national laws.
Though the conflict has not yet affected cross-border cooperation, Reuters sources say that an agreement on the matter, if it comes, may take months.